Privacy & Data Residency

We protect personal information with Canadian residency by default.

This policy explains what we collect, why we collect it, where it is stored, and how you can exercise your rights.

Last updated: November 20, 2025

  • Scope. Public website and Compliance Health platform (including Monitor and related services).
  • Residency. Customer Data hosted in Canada with no default cross-border replication.
  • Security. TLS 1.3 in transit, AES-256 at rest, RBAC + MFA for privileged access.
  • Rights. Access, correction, deletion (where applicable), consent withdrawal, and regulator complaints.

At-a-glance summary

  • Who we are. Compliance Health Technologies Inc. (“Compliance Health”, “we”, “us”).
  • Scope. This policy covers our public websites and our Compliance Health platform (including “Monitor” and related services). Customer-specific processing terms are set out in our Terms and the Data Processing Addendum (DPA) available on request.
  • Residency. Customer Data is hosted in Canada. We do not enable cross-border replication by default.
  • Security. Encryption in transit (TLS 1.2+; TLS 1.3 preferred) and at rest (AES‑256); role‑based access and multi‑factor authentication for privileged access.
  • Your rights. You can access, correct, or delete your personal information; withdraw consent; and complain to applicable privacy regulators. For example, in Alberta this may include the Office of the Information and Privacy Commissioner.

Who we are & how to contact us

Compliance Health Technologies Inc. is a Canadian company. For privacy questions or requests, email privacy@compliancehealth.ca.

What we collect

We collect only what is needed to deliver and improve our services, such as:

  • Account & organization data (name, email, organization/role).
  • Credentialing & compliance artifacts you or your organization upload (e.g., certifications, licenses/registrations, attestations, expiry dates, and related documents).
  • Service & security logs (e.g., authentication events, task activity, IP address, user agent) and minimal usage telemetry for reliability and improvement.
  • Program‑required evidence for education/placement contexts (e.g., immunization proof), where authorized by your institution or employer.

We do not collect marketing profiles from our public website. Any analytics we use are privacy‑preserving or aggregate and avoid tracking individuals.

How we use personal information

  • Provide, operate, and secure the platform and related services.
  • Verify credentials, manage training/attestations, and generate audit‑ready evidence for authorized administrators.
  • Send service notifications (e.g., expiry reminders, security notices).
  • Improve reliability, safety, and user experience (aggregate or de‑identified analysis where possible).
  • Meet legal, regulatory, and contractual obligations.

Lawful basis & roles

We act as a service provider/processor for institutional and enterprise customers and process data only under their instructions. For our direct relationships (e.g., account signup), we rely on consent and/or our legitimate interests in providing secure, reliable services.

Public-sector customers

Where we process information on behalf of a public body (e.g., an Alberta post‑secondary), we act as a service provider under applicable access and privacy legislation and follow the customer's written directions and retention schedule.

Data residency & transfers

Primary hosting is in Canada. Backups and disaster‑recovery copies are also kept in Canada. We do not configure cross‑border replication by default. If a specific customer authorizes a cross‑border transfer (e.g., for redundancy), we will apply encryption and contractual safeguards and document the change.

Security measures

  • Encryption in transit and at rest using industry-standard protocols and algorithms.
  • Role‑based access control (RBAC) and multi‑factor authentication (MFA) for privileged access.
  • Environment separation; least‑privilege service accounts; audit logging.
  • Antivirus scanning for uploaded files before processing; file‑type validation.

Additional details are provided in our Security Overview.

Retention

We retain personal information only as long as necessary for the purposes above or as required by law/contract. Current defaults include:

  • Audit logs: retained 90 days by default.
  • Temporary OCR artifacts: deleted within 24 hours once processing completes.
  • Credential artifacts & records: retained for the customer‑approved program lifecycle and then deleted per the customer's schedule.

Your privacy rights

  • Request access to, or a copy of, your personal information.
  • Request correction or deletion (subject to legal/contractual limits).
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with an applicable privacy regulator. For example, in Alberta this may include the Office of the Information and Privacy Commissioner.

To exercise your rights, contact privacy@compliancehealth.ca. We will respond within applicable timelines.

Cookies & analytics

Our marketing website uses minimal, privacy‑preserving analytics. The application uses essential cookies (e.g., for authentication/session). You can disable non‑essential cookies via your browser settings.

Children

Our services are intended for use by organizations (and their authorized users). We do not knowingly collect information from children without the authorization of the relevant institution/parent/guardian where required by law.

Service providers & subprocessors

We use vetted service providers to operate the platform. Key providers for Customer Data processing include cloud infrastructure and managed services hosted in Canada. We will update this section as our providers change and will notify affected customers where contractually required.

Core subprocessors

  • Cloud Infrastructure: AWS Canada Central (ca-central-1)
  • Database Services: AWS RDS (PostgreSQL) hosted in ca-central-1
  • Object Storage: AWS S3 hosted in ca-central-1
  • Email Services: Postmark (Canada-hosted infrastructure)

All subprocessors are contractually bound to maintain data residency in Canada and implement appropriate security measures.

Changes to this policy

We may update this policy to reflect operational, legal, or regulatory changes. Material changes will be posted here with a revised “Last updated” date and, where required, we will provide advance notice to customers.

Contact

Privacy Officer
privacy@compliancehealth.ca